TlsException Unknown CA OSX

[asamiam]

I'm still getting this error on OSX (works fine on Windows). It handles stackage.org fine (0.1.0.0 didn't, but upgrading to 0.1.1.0 fixed that), but now it dies on GHC:

Preparing to download ghc-7.8.4 ...TlsException (HandshakeFailed (Error_Protocol ("certificate has unknown CA",True,UnknownCa)))

[snoyberg]

@manny-fp As our resident Mac tester, any thoughts?

[snoyberg]

And @aceLren Could you run the debugging instructions from https://github.com/vincenthz/hs-tls#common-issues against www.haskell.org?

[vincenthz]

This is an issue with what's trusted in the system certificates once again. My osx machine has the right certificates in the keychains, not sure which process is updating it on osx. Is this a brand new osx installation ? or a really old one ?

[asamiam]

This is a new installation but I think it has to do with my corporate proxy. It's working fine right now (I'm at home) so I can't reproduce it, but I'll try on Monday. Thanks for being so responsive - Stack is really awesome!

[vincenthz]

That sounds like one of those tls proxy that do certificates MITM with a company's root certificate installed on company machines. You could use tls-retrievecertificate to see if that's the case; You should see something different on the chain when you're in the corporate network (vs home).

[asamiam]

Got it, yes that sounds right.

[borsboom]

I'm unclear about where hs-tls looks for its root CA certificates on OS X, but in theory if you put the MITM certificate wherever that is, it should work.

[snoyberg]

@aceLren Any success with this?

[asamiam]

I ran tls-retrievecertificate (after building with a previous cabal / ghc installation) but it resulted in:

tls-retrievecertificate: HandshakeFailed (Error_Packet_Parsing "Failed reading: invalid header type: 72\nFrom:\theader\n\n")

I've tried a couple other things but haven't been able to get the certificate to work; still getting the same error.

Btw what changed between 0.1.0.0 and 0.1.1.0? It fixed this issue for Stackage, maybe the same thing would fix it for GHC?

[snoyberg]

The change on stackage.org is that we stopped using stackage.org completely. Instead, all files are downloaded from S3.

This error report looks like it might need to get moved to the hs-tls issue tracker, I'm not sure how much else we can do here.

[snoyberg]

Closing, if the issue still exists please reopen.

[ssgreg]

Hi guys. The same problem. Trying to connect to (gateway.sandbox.push.apple.com:2195):
HandshakeFailed (Error_Protocol ("certificate has unknown CA",True,UnknownCa))

tls-retrievecertificate gateway.sandbox.push.apple.com 2195 --chain --verify
returns
connecting to gateway.sandbox.push.apple.com on port 2195 ... tls-retrievecertificate: HandshakeFailed (Error_Packet_unexpected "Alert [(AlertLevel_Fatal,HandshakeFailure)]" " expected: change cipher")